From vladi_slav at abv.bg Tue Oct 20 09:28:48 2020
From: vladi_slav at abv.bg (Vladi_slav Vassilev)
Date: Tue, 20 Oct 2020 12:28:48 +0300 (EEST)
Subject: [tac_plus] Integration between TACACS+ and Cisco ACI
Message-ID: <323788948.1251700.1603186128621@nm2.abv.bg>

Hello Team,

Could you please help us? We are trying to integrate Cisco ACI with shrubbery TACACS+ (version - tac_plus-4.0.3-2.i386.rpm). Unfortunately not successfully; our TACACS+ config is as follows:

    host = EO_devices {
        key = test
        address = 10.10.10.10
    }

    group = admin_EO_ACI {
        default service = permit
        service = shell {
            set domains=all/read-all
        }
    }

    user = user {
        member = admin_EO_ACI@EO_devices
    }

In the log we see:

    authentication.log:2020-10-20 12:09:58 +0300 10.10.10.10: pap login for 'gosho' from 100.100.100.100 on REST failed (denied)

In Cisco's doc - https://community.cisco.com/t5/data-center-documents/configuring-tacacs-authentication-to-aci-fabric-with-cisco-acs/ta-p/3228328 - we see that we need to add a Unix ID after domains=all. We tried; the result was the same:

    group = admin_EO_ACI {
        default service = permit
        service = shell {
            domains=all/admin/(16005)
        }
    }

BR,

Vlad


From heas at shrubbery.net Tue Oct 20 21:27:26 2020
From: heas at shrubbery.net (john heasley)
Date: Tue, 20 Oct 2020 21:27:26 +0000
Subject: [tac_plus] Integration between TACACS+ and Cisco ACI
In-Reply-To: <323788948.1251700.1603186128621@nm2.abv.bg>
References: <323788948.1251700.1603186128621@nm2.abv.bg>
Message-ID: <20201020212726.GE99511@shrubbery.net>

Tue, Oct 20, 2020 at 12:28:48PM +0300, Vladi_slav Vassilev:
> Could you please help us? We are trying to integrate Cisco ACI with shrubbery TACACS+ (version - tac_plus-4.0.3-2.i386.rpm).
> Unfortunately not successfully; our TACACS+ config is as follows:
>
>     host = EO_devices {
>         key = test
>         address = 10.10.10.10
>     }
>
>     group = admin_EO_ACI {
>         default service = permit
>         service = shell {
>             set domains=all/read-all
>         }
>     }
>
>     user = user {
>         member = admin_EO_ACI@EO_devices
>
> In the log we see:
>
>     authentication.log:2020-10-20 12:09:58 +0300
>     10.10.10.10: pap login for 'gosho' from 100.100.100.100 on REST failed (denied)
                   ^^^

I suspect that the device is requesting service ppp. Perhaps enable debug logging to collect more info about the service being requested; -d 16.

> In Cisco's doc - https://community.cisco.com/t5/data-center-documents/configuring-tacacs-authentication-to-aci-fabric-with-cisco-acs/ta-p/3228328 - we see that we need to add a Unix ID after domains=all. We tried; the result was the same:
>
>     group = admin_EO_ACI {
>         default service = permit
>         service = shell {
>             domains=all/admin/(16005)
>         }
>     }
>
> BR,
>
> Vlad
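As an added example that is not part of either message above: a small Python parser for the authentication.log line format quoted in the thread, which tallies denied logins per NAS, user and port and lists denied usernames that have no user block in the posted tac_plus.conf. The "succeeded" line form and the two extra sample lines are constructed assumptions; only the failure line appears in the thread.

```python
import re
from collections import Counter

# Field layout modelled on the authentication.log line quoted in the thread:
#   2020-10-20 12:09:58 +0300 10.10.10.10: pap login for 'gosho' from 100.100.100.100 on REST failed (denied)
# The "succeeded" alternative is an assumption; only the failure form appears in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<nas>\S+): (?P<method>\w+) login for '(?P<user>[^']*)' "
    r"from (?P<remote>\S+) on (?P<port>\S+) (?P<result>succeeded|failed)"
    r"(?: \((?P<reason>[^)]+)\))?$"
)

def parse_line(line):
    """Return the fields of one authentication.log line as a dict
    (ts, nas, method, user, remote, port, result, reason), or None if the
    line is in another format. method is pap/ascii/chap; port is 'REST' on ACI."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def denied_summary(lines):
    """Count failed logins per (nas, user, port) so repeated denials stand out."""
    counts = Counter()
    for ev in map(parse_line, lines):
        if ev and ev["result"] == "failed":
            counts[(ev["nas"], ev["user"], ev["port"])] += 1
    return dict(counts)

def unknown_user_denials(lines, configured_users):
    """Denied usernames that have no user block in tac_plus.conf (sorted, unique).
    A denial for an undefined user is a different problem from a wrong service
    or attribute mapping, so it is worth separating before turning on -d 16."""
    names = {ev["user"] for ev in map(parse_line, lines)
             if ev and ev["result"] == "failed" and ev["user"] not in configured_users}
    return sorted(names)

# Constructed sample: the thread's line plus two assumed lines in the same format.
SAMPLE_LOG = [
    "2020-10-20 12:09:58 +0300 10.10.10.10: pap login for 'gosho' from 100.100.100.100 on REST failed (denied)",
    "2020-10-20 12:10:31 +0300 10.10.10.10: pap login for 'gosho' from 100.100.100.100 on REST failed (denied)",
    "2020-10-20 12:12:05 +0300 10.10.10.10: pap login for 'user' from 100.100.100.100 on REST succeeded",
]
CONFIGURED_USERS = {"user"}   # the only user block in the posted tac_plus.conf

if __name__ == "__main__":
    print(denied_summary(SAMPLE_LOG))                         # {('10.10.10.10', 'gosho', 'REST'): 2}
    print(unknown_user_denials(SAMPLE_LOG, CONFIGURED_USERS)) # ['gosho']
```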